Several vulnerabilities have been discovered in uscan, a tool to scan upstream sites for new releases of packages, which is part of the devscripts package. An attacker controlling a website from which uscan would attempt to download a source tarball could execute arbitrary code with the privileges of the user running uscan.

The Common Vulnerabilities and Exposures project id CVE-2013-6888 has been assigned to identify them.

For the stable distribution (wheezy), these problems have been fixed in version 2.12.6+deb7u2.

For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 2.13.9.

We recommend that you upgrade your devscripts packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

With the fix for AST-2013-007, a new configuration option was added in order to allow the system administrator to disable the expansion of "dangerous" functions (such as SHELL()) from any interface which is not the dialplan. In stable and oldstable this option is disabled by default. To enable it, add the following line to the section '[options]' in /etc/asterisk/asterisk.conf (and restart asterisk):

live_dangerously = no
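As an added example (not part of the Debian advisory or of Asterisk itself), a POSIX shell audit that reports whether an asterisk.conf already carries the setting above inside its [options] section, plus a companion function that prints a hardened copy for review; the sample configuration used to exercise it is constructed.

```shell
#!/bin/sh
# Constructed example: audit and harden the [options] section of an
# asterisk.conf for live_dangerously = no. Both functions are
# section-aware, so a live_dangerously line in some other section
# does not count. Only ';' starts a comment in Asterisk config files.

# Returns 0 only if [options] sets live_dangerously to "no".
# Key absent, "yes", or key in another section returns 1, since
# the protection is off by default on wheezy/squeeze.
asterisk_live_dangerously_hardened() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*;/ { next }                          # comment line
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); section = s; next }
        section == "options" && /^[ \t]*live_dangerously[ \t]*=>?/ {
            v = $0; sub(/^[^=]*=>?[ \t]*/, "", v); sub(/[ \t]*(;.*)?$/, "", v)
            val = tolower(v)                         # last assignment wins
        }
        END { exit (val == "no" ? 0 : 1) }
    ' "$1"
}

# Prints a copy of the file with live_dangerously = no in [options]:
# an existing value is replaced, a missing key is added, and a missing
# [options] section is appended. Output goes to stdout so the result
# can be reviewed before replacing /etc/asterisk/asterisk.conf.
asterisk_harden_live_dangerously() {
    awk '
        function emit() { if (!done) { print "live_dangerously = no"; done = 1 } }
        /^[ \t]*;/ { print; next }
        /^[ \t]*\[/ {
            if (section == "options") emit()        # leaving [options] without the key
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); section = s
            print; next
        }
        section == "options" && /^[ \t]*live_dangerously[ \t]*=>?/ { emit(); next }
        { print }
        END { if (!done) { if (section != "options") print "\n[options]"; emit() } }
    ' "$1"
}
```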

For the oldstable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze12.

For the stable distribution (wheezy), this problem has been fixed in version 1:1.8.13.1~dfsg1-3+deb7u3.

For the testing distribution (jessie), this problem has been fixed in version 1:11.7.0~dfsg-1.

For the unstable distribution (sid), this problem has been fixed in version 1:11.7.0~dfsg-1.

We recommend that you upgrade your asterisk packages.
